Learning WinDbg --- !process
Source: Internet  Editor: 程序博客网  Date: 2024/04/29 05:15
!process 0 0 lists every process (one PROCESS record each, with its EPROCESS address, Cid, ParentCid and image name):
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 823b97c0  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00355000  ObjectTable: e1001c48  HandleCount: 274.
    Image: System

PROCESS 81dc0458  SessionId: none  Cid: 0244    Peb: 7ffd3000  ParentCid: 0004
    DirBase: 0cc00020  ObjectTable: e14129d8  HandleCount:  19.
    Image: smss.exe

PROCESS 82169128  SessionId: 0  Cid: 0290    Peb: 7ffd4000  ParentCid: 0244
    DirBase: 0cc00040  ObjectTable: e101e270  HandleCount: 464.
    Image: csrss.exe

PROCESS 81dcdda0  SessionId: 0  Cid: 02a8    Peb: 7ffd4000  ParentCid: 0244
    DirBase: 0cc00060  ObjectTable: e161f820  HandleCount: 461.
    Image: winlogon.exe

PROCESS 81fcf2c0  SessionId: 0  Cid: 02d4    Peb: 7ffdd000  ParentCid: 02a8
    DirBase: 0cc00080  ObjectTable: e1af8a00  HandleCount: 269.
    Image: services.exe

PROCESS 81dd3020  SessionId: 0  Cid: 02e0    Peb: 7ffda000  ParentCid: 02a8
    DirBase: 0cc000a0  ObjectTable: e1688bc8  HandleCount: 339.
    Image: lsass.exe

PROCESS 8214eda0  SessionId: 0  Cid: 0384    Peb: 7ffdd000  ParentCid: 02d4
    DirBase: 0cc000c0  ObjectTable: e1be3e40  HandleCount:  25.
    Image: vmacthlp.exe

PROCESS 822b4020  SessionId: 0  Cid: 0394    Peb: 7ffd8000  ParentCid: 02d4
    DirBase: 0cc000e0  ObjectTable: e1ad9288  HandleCount: 218.
    Image: svchost.exe

PROCESS 82154020  SessionId: 0  Cid: 03e4    Peb: 7ffd4000  ParentCid: 02d4
    DirBase: 0cc00100  ObjectTable: e1bec600  HandleCount: 247.
    Image: svchost.exe

PROCESS 81fe1020  SessionId: 0  Cid: 0444    Peb: 7ffdd000  ParentCid: 02d4
    DirBase: 0cc00120  ObjectTable: e1b9bc40  HandleCount: 1138.
    Image: svchost.exe

PROCESS 82020910  SessionId: 0  Cid: 0468    Peb: 7ffd6000  ParentCid: 02d4
    DirBase: 0cc00140  ObjectTable: e1c2bea8  HandleCount:  51.
    Image: 360rps.exe

PROCESS 81e292a0  SessionId: 0  Cid: 04a4    Peb: 7ffd6000  ParentCid: 02d4
    DirBase: 0cc00160  ObjectTable: e1852cc0  HandleCount:  77.
    Image: svchost.exe

PROCESS 821d3da0  SessionId: 0  Cid: 054c    Peb: 7ffd8000  ParentCid: 02d4
    DirBase: 0cc001a0  ObjectTable: e1bfe4d8  HandleCount: 194.
    Image: svchost.exe

PROCESS 82155438  SessionId: 0  Cid: 0564    Peb: 7ffde000  ParentCid: 02d4
    DirBase: 0cc001c0  ObjectTable: e1fbbbb0  HandleCount: 124.
    Image: ZhuDongFangYu.exe

PROCESS 821cf8e8  SessionId: 0  Cid: 061c    Peb: 7ffd6000  ParentCid: 02d4
    DirBase: 0cc001e0  ObjectTable: e1d6d7c0  HandleCount: 129.
    Image: spoolsv.exe

PROCESS 81ff03c8  SessionId: 0  Cid: 0740    Peb: 7ffda000  ParentCid: 02d4
    DirBase: 0cc00200  ObjectTable: e1ffa9c0  HandleCount: 288.
    Image: vmtoolsd.exe

PROCESS 822b9ac0  SessionId: 0  Cid: 0168    Peb: 7ffd4000  ParentCid: 02d4
    DirBase: 0cc00260  ObjectTable: e211da28  HandleCount: 104.
    Image: alg.exe

PROCESS 81ea9da0  SessionId: 0  Cid: 01ec    Peb: 7ffde000  ParentCid: 02d4
    DirBase: 0cc002a0  ObjectTable: e16a3ef8  HandleCount:  99.
    Image: TPAutoConnSvc.exe

PROCESS 81ccb020  SessionId: 0  Cid: 0660    Peb: 7ffde000  ParentCid: 043c
    DirBase: 0cc00280  ObjectTable: e2077560  HandleCount: 407.
    Image: explorer.exe

PROCESS 81dec7e8  SessionId: 0  Cid: 069c    Peb: 7ffda000  ParentCid: 01ec
    DirBase: 0cc002e0  ObjectTable: e1c94a40  HandleCount:  67.
    Image: TPAutoConnect.exe

PROCESS 81c02da0  SessionId: 0  Cid: 02d8    Peb: 7ffda000  ParentCid: 0660
    DirBase: 0cc00300  ObjectTable: e1d679a0  HandleCount: 219.
    Image: vmtoolsd.exe

PROCESS 81c09020  SessionId: 0  Cid: 010c    Peb: 7ffd7000  ParentCid: 0660
    DirBase: 0cc002c0  ObjectTable: e1d577c0  HandleCount:  69.
    Image: ctfmon.exe

PROCESS 82328b08  SessionId: 0  Cid: 011c    Peb: 7ffdf000  ParentCid: 0660
    DirBase: 0cc00340  ObjectTable: e20704e8  HandleCount: 106.
    Image: 360sd.exe

PROCESS 81c07da0  SessionId: 0  Cid: 01dc    Peb: 7ffda000  ParentCid: 011c
    DirBase: 0cc00320  ObjectTable: e1d6a008  HandleCount: 261.
    Image: 360rp.exe

PROCESS 81ed6168  SessionId: 0  Cid: 035c    Peb: 7ffde000  ParentCid: 02d4
    DirBase: 0cc00360  ObjectTable: e1fdca38  HandleCount: 120.
    Image: imapi.exe

PROCESS 822cf4f8  SessionId: 0  Cid: 0854    Peb: 7ffdc000  ParentCid: 0444
    DirBase: 0cc00220  ObjectTable: e1451170  HandleCount: 173.
    Image: wuauclt.exe

PROCESS 820113b8  SessionId: 0  Cid: 0934    Peb: 7ffde000  ParentCid: 0444
    DirBase: 0cc00180  ObjectTable: e1b532c8  HandleCount: 140.
    Image: wuauclt.exe

PROCESS 8200e3c0  SessionId: 0  Cid: 0a54    Peb: 7ffda000  ParentCid: 0660
    DirBase: 0cc00380  ObjectTable: e1c91ad8  HandleCount:  48.
    Image: regedit.exe
!process XXX displays all information about the specified process, including every thread and its kernel stack; !process XXX 0 displays only the process header (the same record as in the list above).
XXX can be either an EPROCESS address or a process ID.
kd> !process 82155438
PROCESS 82155438  SessionId: 0  Cid: 0564    Peb: 7ffde000  ParentCid: 02d4
    DirBase: 0cc001c0  ObjectTable: e1fbbbb0  HandleCount: 124.
    Image: ZhuDongFangYu.exe
    VadRoot 8200f1d8 Vads 123 Clone 0 Private 1390. Modified 3. Locked 0.
    DeviceMap e1004440
    Token                             e1c8d9d8
    ElapsedTime                       00:02:39.519
    UserTime                          00:00:00.125
    KernelTime                        00:00:00.187
    QuotaPoolUsage[PagedPool]         76204
    QuotaPoolUsage[NonPagedPool]      5240
    Working Set Sizes (now,min,max)  (2345, 50, 345) (9380KB, 200KB, 1380KB)
    PeakWorkingSetSize                2365
    VirtualSize                       53 Mb
    PeakVirtualSize                   53 Mb
    PageFaultCount                    3925
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      1572

        THREAD 81fe33c8  Cid 0564.056c  Teb: 7ffdd000 Win32Thread: e1c6fdb0 WAIT: (Executive) UserMode Non-Alertable
            81eead14  NotificationEvent
        IRP List:
            822b83a0: (0006,0094) Flags: 00000900  Mdl: 00000000
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      4016           Ticks: 7693 (0:00:02:00.203)
        Context Switch Count      146                 LargeStack
        UserTime                  00:00:00.000
        KernelTime                00:00:00.078
        Win32 Start Address nt_400000!FsRtlRemoveAndCompleteWaitIrp (0x004143da)
        Start Address 0x7c8106f5
        Stack Init f808b000 Current f808ac1c Base f808b000 Limit f8087000 Call 0
        Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
        Kernel stack not resident.
        ChildEBP RetAddr
        f808ac34 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        f808ac40 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        f808ac68 80575dd6 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        f808ac90 80572d2a nt!IopSynchronousServiceTail+0xe8 (FPO: [7,0,4])
        f808ad38 8053e638 nt!NtReadFile+0x580 (FPO: [Non-Fpo])
        f808ad38 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f808ad64)
        0012fbc8 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 81e2bda8  Cid 0564.05c0  Teb: 7ffdc000 Win32Thread: e2086eb0 WAIT: (DelayExecution) UserMode Non-Alertable
            81e2be98  NotificationTimer
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      11705          Ticks: 4 (0:00:00:00.062)
        Context Switch Count      1460                LargeStack
        UserTime                  00:00:00.015
        KernelTime                00:00:00.015
        Win32 Start Address 0x77dc3519
        Start Address 0x7c8106e9
        Stack Init b2863000 Current b2862cbc Base b2863000 Limit b285f000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr
        b2862cd4 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b2862ce0 804fa79f nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b2862d0c 8060db19 nt!KeDelayExecutionThread+0x1c9 (FPO: [3,6,4])
        b2862d54 8053e638 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
        b2862d54 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2862d64)
        00a2ff20 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 81fef438  Cid 0564.05c8  Teb: 7ffda000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
            8221db78  NotificationEvent
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      1834           Ticks: 9875 (0:00:02:34.296)
        Context Switch Count      4
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt_400000!CcExtendVacbArray (0x00410148)
        Start Address 0x7c8106e9
        Stack Init b28f7000 Current b28f6ca0 Base b28f7000 Limit b28f4000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        Kernel stack not resident.
        ChildEBP RetAddr
        b28f6cb8 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b28f6cc4 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b28f6cec 805b7126 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        b28f6d50 8053e638 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
        b28f6d50 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b28f6d64)
        00c2ff4c 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 81e0eda8  Cid 0564.05cc  Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (WrLpcReply) UserMode Non-Alertable
            81e0ef9c  Semaphore Limit 0x1
        Waiting for reply to LPC MessageId 00007271:
        Current LPC port e1c77bc0
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      4016           Ticks: 7693 (0:00:02:00.203)
        Context Switch Count      533
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt_400000!FsRtlAddLargeMcbEntry (0x00411b61)
        Start Address 0x7c8106e9
        Stack Init b296f000 Current b296eb94 Base b296f000 Limit b296c000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        Kernel stack not resident.
        ChildEBP RetAddr
        b296ebac 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b296ebb8 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b296ebe0 805996cb nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        b296ec94 f854bc80 nt!NtRequestWaitReplyPort+0x63d (FPO: [Non-Fpo])
        WARNING: Stack unwind information not available. Following frames may be wrong.
        b296ed50 8053e638 Hookport+0x2c80
        b296ed50 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b296ed64)
        00d2fb20 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 81dd2da8  Cid 0564.05d0  Teb: 7ffd8000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
            81dfd188  Semaphore Limit 0x7fffffff
            81dd2e98  NotificationTimer
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      7594           Ticks: 4115 (0:00:01:04.296)
        Context Switch Count      10
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x77e56c7d
        Start Address 0x7c8106e9
        Stack Init b289b000 Current b289ac4c Base b289b000 Limit b2898000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr
        b289ac64 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b289ac70 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b289ac98 8059c5b0 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        b289ad48 8053e638 nt!NtReplyWaitReceivePortEx+0x3dc (FPO: [Non-Fpo])
        b289ad48 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b289ad64)
        00e2ff80 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 822f3da8  Cid 0564.05d4  Teb: 7ffd7000 Win32Thread: e20be2d0 WAIT: (WrUserRequest) UserMode Non-Alertable
            821a8300  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      4017           Ticks: 7692 (0:00:02:00.187)
        Context Switch Count      101                 LargeStack
        UserTime                  00:00:00.015
        KernelTime                00:00:00.046
        Win32 Start Address nt_400000!CcWorkerThread (0x0040f258)
        Start Address 0x7c8106e9
        Stack Init b2843000 Current b2842c20 Base b2843000 Limit b283f000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        Kernel stack not resident.
        ChildEBP RetAddr
        b2842c38 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b2842c44 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b2842c6c bf802f52 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        b2842ca8 bf801b2a win32k!xxxSleepThread+0x192 (FPO: [3,5,4])
        b2842cec bf819e6c win32k!xxxRealInternalGetMessage+0x418 (FPO: [6,9,4])
        b2842d4c 8053e638 win32k!NtUserGetMessage+0x27 (FPO: [Non-Fpo])
        b2842d4c 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2842d64)
        012afd30 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 82143460  Cid 0564.0624  Teb: 7ffd6000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
            8201d0d0  SynchronizationEvent
            81e37190  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      1852           Ticks: 9857 (0:00:02:34.015)
        Context Switch Count      1
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x019221a0
        Start Address 0x7c8106e9
        Stack Init b28cf000 Current b28ce95c Base b28cf000 Limit b28cc000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
        Kernel stack not resident.
        ChildEBP RetAddr
        b28ce974 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b28ce980 804faae2 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b28ce9b8 805b7418 nt!KeWaitForMultipleObjects+0x284 (FPO: [8,9,4])
        b28ced48 8053e638 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b28ced48 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b28ced64)
        01aafc48 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 81dbcda8  Cid 0564.0628  Teb: 7ffd5000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
            822db088  NotificationEvent
            822db058  NotificationEvent
            8201d0a0  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      1852           Ticks: 9857 (0:00:02:34.015)
        Context Switch Count      3
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x00ff4fa0
        Start Address 0x7c8106e9
        Stack Init b28bf000 Current b28be95c Base b28bf000 Limit b28bc000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        Kernel stack not resident.
        ChildEBP RetAddr
        b28be974 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b28be980 804faae2 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b28be9b8 805b7418 nt!KeWaitForMultipleObjects+0x284 (FPO: [8,9,4])
        b28bed48 8053e638 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b28bed48 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b28bed64)
        01baff2c 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 81dbcb30  Cid 0564.062c  Teb: 7ffd4000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
            81e2ebe8  SynchronizationEvent
            82181020  NotificationTimer
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      11708          Ticks: 1 (0:00:00:00.015)
        Context Switch Count      79
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x76b2aeaf
        Start Address 0x7c8106e9
        Stack Init b28b7000 Current b28b695c Base b28b7000 Limit b28b4000 Call 0
        Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
        ChildEBP RetAddr
        b28b6974 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b28b6980 804faae2 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b28b69b8 805b7418 nt!KeWaitForMultipleObjects+0x284 (FPO: [8,9,4])
        b28b6d48 8053e638 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b28b6d48 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b28b6d64)
        01caffb4 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 82181b60  Cid 0564.0630  Teb: 7ffd3000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
            81dbcb00  NotificationEvent
            822db020  NotificationEvent
        IRP List:
            822b88a8: (0006,0094) Flags: 00000000  Mdl: 00000000
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      1963           Ticks: 9746 (0:00:02:32.281)
        Context Switch Count      5
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x00f74f10
        Start Address 0x7c8106e9
        Stack Init b27d3000 Current b27d295c Base b27d3000 Limit b27d0000 Call 0
        Priority 9 BasePriority 8 PriorityDecrement 1 DecrementCount 16
        Kernel stack not resident.
        ChildEBP RetAddr
        b27d2974 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b27d2980 804faae2 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b27d29b8 805b7418 nt!KeWaitForMultipleObjects+0x284 (FPO: [8,9,4])
        b27d2d48 8053e638 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b27d2d48 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b27d2d64)
        01daff0c 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 81e0d7f0  Cid 0564.0654  Teb: 7ff9f000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
            822ee288  NotificationEvent
            81e0d8e0  NotificationTimer
        IRP List:
            81ed6710: (0006,0094) Flags: 00000000  Mdl: 00000000
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      11703          Ticks: 6 (0:00:00:00.093)
        Context Switch Count      323
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x01f3ca3e
        Start Address 0x7c8106e9
        Stack Init f7fb0000 Current f7fafca0 Base f7fb0000 Limit f7fad000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
        ChildEBP RetAddr
        f7fafcb8 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        f7fafcc4 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        f7fafcec 805b7126 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        f7fafd50 8053e638 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
        f7fafd50 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f7fafd64)
        0209ff68 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 822ee2b8  Cid 0564.0658  Teb: 7ff9e000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
            81fcd6e0  SynchronizationEvent
        IRP List:
            822b87e0: (0006,0094) Flags: 00000970  Mdl: 00000000
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      6731           Ticks: 4978 (0:00:01:17.781)
        Context Switch Count      21
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x01f3a108
        Start Address 0x7c8106e9
        Stack Init b27bf000 Current b27beca0 Base b27bf000 Limit b27bc000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
        ChildEBP RetAddr
        b27becb8 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b27becc4 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b27becec 805b7126 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        b27bed50 8053e638 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
        b27bed50 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b27bed64)
        0219e918 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 82172da8  Cid 0564.0844  Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
            81dfd188  Semaphore Limit 0x7fffffff
            82172e98  NotificationTimer
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      7594           Ticks: 4115 (0:00:01:04.296)
        Context Switch Count      2
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x77e56c7d
        Start Address 0x7c8106e9
        Stack Init b1ff4000 Current b1ff3c4c Base b1ff4000 Limit b1ff1000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
        ChildEBP RetAddr
        b1ff3c64 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b1ff3c70 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b1ff3c98 8059c5b0 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        b1ff3d48 8053e638 nt!NtReplyWaitReceivePortEx+0x3dc (FPO: [Non-Fpo])
        b1ff3d48 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b1ff3d64)
        00b2ff80 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
!process 0 0 XXX.exe looks up a process by image name:
kd> !process 0 0 ZhuDongFangYu.exe
PROCESS 82155438  SessionId: 0  Cid: 0564    Peb: 7ffde000  ParentCid: 02d4
    DirBase: 0cc001c0  ObjectTable: e1fbbbb0  HandleCount: 124.
    Image: ZhuDongFangYu.exe
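The `!process 0 0` listing and the by-name lookup above are often worked from a saved debugger log rather than live. The following Python is an added example, not code from the original post or from WinDbg: it parses PROCESS records (the sample input is a selection of the records above, each joined onto one line), returns the EPROCESS address to pass to `!process XXX`, rebuilds the Cid/ParentCid tree, and flags processes whose parent is no longer in the listing (here explorer.exe, whose ParentCid 043c matches no Cid).

```python
import re
from collections import defaultdict

# Records copied from the "!process 0 0" listing above (a selection), each
# record joined onto one line. Field names are the anchors, so the real
# three-line WinDbg layout parses identically.
SAMPLE = """\
PROCESS 823b97c0 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00355000 ObjectTable: e1001c48 HandleCount: 274. Image: System
PROCESS 81dc0458 SessionId: none Cid: 0244 Peb: 7ffd3000 ParentCid: 0004 DirBase: 0cc00020 ObjectTable: e14129d8 HandleCount: 19. Image: smss.exe
PROCESS 82169128 SessionId: 0 Cid: 0290 Peb: 7ffd4000 ParentCid: 0244 DirBase: 0cc00040 ObjectTable: e101e270 HandleCount: 464. Image: csrss.exe
PROCESS 81dcdda0 SessionId: 0 Cid: 02a8 Peb: 7ffd4000 ParentCid: 0244 DirBase: 0cc00060 ObjectTable: e161f820 HandleCount: 461. Image: winlogon.exe
PROCESS 81fcf2c0 SessionId: 0 Cid: 02d4 Peb: 7ffdd000 ParentCid: 02a8 DirBase: 0cc00080 ObjectTable: e1af8a00 HandleCount: 269. Image: services.exe
PROCESS 82155438 SessionId: 0 Cid: 0564 Peb: 7ffde000 ParentCid: 02d4 DirBase: 0cc001c0 ObjectTable: e1fbbbb0 HandleCount: 124. Image: ZhuDongFangYu.exe
PROCESS 81ccb020 SessionId: 0 Cid: 0660 Peb: 7ffde000 ParentCid: 043c DirBase: 0cc00280 ObjectTable: e2077560 HandleCount: 407. Image: explorer.exe
PROCESS 8200e3c0 SessionId: 0 Cid: 0a54 Peb: 7ffda000 ParentCid: 0660 DirBase: 0cc00380 ObjectTable: e1c91ad8 HandleCount: 48. Image: regedit.exe
"""

RECORD = re.compile(
    r"PROCESS\s+(?P<eprocess>[0-9a-f]{8})\s+SessionId:\s+\w+\s+"
    r"Cid:\s+(?P<cid>[0-9a-f]{4})\s+Peb:\s+[0-9a-f]{8}\s+"
    r"ParentCid:\s+(?P<ppid>[0-9a-f]{4})\s+DirBase:\s+[0-9a-f]{8}\s+"
    r"ObjectTable:\s+[0-9a-f]{8}\s+HandleCount:\s+(?P<handles>\d+)\.\s+"
    r"Image:\s+(?P<image>\S+)", re.IGNORECASE)


def parse_process_list(text):
    """One dict per PROCESS record; Cid and ParentCid are hex PIDs."""
    return [{"eprocess": m["eprocess"], "pid": int(m["cid"], 16),
             "ppid": int(m["ppid"], 16), "handles": int(m["handles"]),
             "image": m["image"]} for m in RECORD.finditer(text)]


def eprocess_for(procs, image):
    """EPROCESS addresses for an image name, usable as the XXX in !process XXX."""
    return [p["eprocess"] for p in procs if p["image"].lower() == image.lower()]


def orphan_images(procs):
    """Images whose ParentCid matches no Cid in the listing: the parent has
    already exited (normal for explorer.exe) or the listing is incomplete.
    System (Cid 4, ParentCid 0) is the root and is not reported."""
    known = {p["pid"] for p in procs}
    return [p["image"] for p in procs if p["ppid"] not in known and p["pid"] != 4]


def render_tree(procs):
    """Indented parent/child view, one line per process; processes whose
    parent is not listed become roots."""
    known = {p["pid"] for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"] if p["ppid"] in known else None].append(p)
    lines = []

    def walk(p, depth):
        lines.append("%s%s (pid %d, EPROCESS %s)"
                     % ("  " * depth, p["image"], p["pid"], p["eprocess"]))
        for child in sorted(children[p["pid"]], key=lambda c: c["pid"]):
            walk(child, depth + 1)

    for root in sorted(children[None], key=lambda c: c["pid"]):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(parse_process_list(SAMPLE))))
```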
Now look at the token of ZhuDongFangYu.exe (the Token field e1c8d9d8 in the process output above):
kd> da e1c8d9d8
e1c8d9d8  "*SYSTEM*"
kd> u e1c8d9d8
e1c8d9d8 2a5359          sub     dl,byte ptr [ebx+59h]
e1c8d9db 53              push    ebx
e1c8d9dc 54              push    esp
e1c8d9dd 45              inc     ebp
e1c8d9de 4d              dec     ebp
e1c8d9df 2a00            sub     al,byte ptr [eax]
e1c8d9e1 0000            add     byte ptr [eax],al
e1c8d9e3 0000            add     byte ptr [eax],al
kd> !token e1c8d9d8
_TOKEN e1c8d9d8
TS Session ID: 0
User: S-1-5-18
Groups:
 00 S-1-5-32-544
    Attributes - Default Enabled Owner
 01 S-1-1-0
    Attributes - Mandatory Default Enabled
 02 S-1-5-11
    Attributes - Mandatory Default Enabled
Primary Group: S-1-5-18
Privs:
 00 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default
 01 0x000000002 SeCreateTokenPrivilege            Attributes -
 02 0x000000009 SeTakeOwnershipPrivilege          Attributes -
 03 0x00000000f SeCreatePagefilePrivilege         Attributes - Enabled Default
 04 0x000000004 SeLockMemoryPrivilege             Attributes - Enabled Default
 05 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes -
 06 0x000000005 SeIncreaseQuotaPrivilege          Attributes -
 07 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - Enabled Default
 08 0x000000010 SeCreatePermanentPrivilege        Attributes - Enabled Default
 09 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default
 10 0x000000015 SeAuditPrivilege                  Attributes - Enabled Default
 11 0x000000008 SeSecurityPrivilege               Attributes -
 12 0x000000016 SeSystemEnvironmentPrivilege      Attributes -
 13 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 14 0x000000011 SeBackupPrivilege                 Attributes -
 15 0x000000012 SeRestorePrivilege                Attributes -
 16 0x000000013 SeShutdownPrivilege               Attributes -
 17 0x00000000a SeLoadDriverPrivilege             Attributes -
 18 0x00000000d SeProfileSingleProcessPrivilege   Attributes - Enabled Default
 19 0x00000000c SeSystemtimePrivilege             Attributes -
 20 0x000000019 SeUndockPrivilege                 Attributes -
 21 0x00000001c SeManageVolumePrivilege           Attributes -
 22 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default
 23 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default
Authentication ID:         (0,3e7)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: *SYSTEM*           TokenFlags: 0x89 ( Token in use )
Token ID: 1237d            ParentToken ID: 0
Modified ID:               (0, 1237f)
RestrictedSidCount: 0      RestrictedSids: 00000000